A method of symbolic modeling of formal models is considered in the paper. The object of analysis is the domain of multi-component concurrent systems specified in the basic protocols language. The problem of dynamic creation and stopping of agents during state-space exploration is considered. A corresponding algorithm has been suggested as an extension of the existing forward and backward predicate transformers. It provides the ability to introduce an arbitrary number of concurrent processes in verification and test generation. 
Keywords: symbolic modeling, state space, concurrent systems. 


Introduction 


This work is done in the scope of the problem of error detection in multi-component software and hardware systems. Typically, in multi-process software, processes and threads work concurrently, can fork and terminate, use shared memory, and send and receive signals. In hardware distributed systems, different components can be switched on and off (or appear and disappear, in the telecommunication domain) and also communicate using various data channels. 
Experience of industrial projects shows that significant defects appear at the design and coding stages and can be missed during the testing stage. So, the development of abstract models with subsequent verification and test generation is a topical task. 

We consider models of multi-component systems specified in the basic protocols language [2]. Every model contains an environment with agents which work concurrently and asynchronously and interact with each other by reading and changing attributes. Agents can be created and stopped dynamically. A concrete state of the environment consists of a set of values of environment attributes, values of attributes of all operating agents, and a set of agent names. In symbolic modeling we define a symbolic state, or simply state, as a set of concrete states and specify it by a formula of first order logic with multisort predicate calculus. Transitions are specified by basic protocols. 


Basic protocols system 


A basic protocol is defined as a Hoare triple $\forall x\,(\alpha(r,x) \rightarrow \langle P(r,x)\rangle\, \beta(r,x))$ [1] and expresses the following fact: if a state of the environment satisfies precondition $\alpha$, then the process $P$ may be performed and the state is modified according to postcondition $\beta$ (here $x$ is a list of (typed) parameters, $r$ a list of attribute expressions defined below). Pre- and postconditions are first order logic formulas; a postcondition can also contain assignment operators and operators for creation and stopping of agents. An attribute expression is an attribute name of simple type (enumerated or numeric) or a functional expression $f_i(e_1, e_2, \ldots)$, where $f_i$ is a functional attribute (uninterpreted function) or an array name and $e_1, e_2, \ldots$ are expressions of the corresponding argument types. 


Environment and agents 


As described above, an environment state $E$ consists of a first order logic formula $D$ and a set of agent names $T$. Denote it as a pair: 

$E = (T, D)$ 

Attributes of the environment and of any operating agents can be accessed in formula $D$, but we have not yet defined the set of agent names $T$. Agents are separated by types $T_i$ called agent types. Every agent type $T_i$ is considered as a dynamic enumerated type. Initially, its domain contains the set of agent names $e^i_1, e^i_2, \ldots, e^i_{n_i}$ which are created in the initial state. The domain can be empty if no agents are created. We can refine the definition of the pair $E$ as: 

$E = (T, D) = (T_1 = \{e^1_1, \ldots, e^1_{n_1}\} \wedge T_2 = \{e^2_1, \ldots, e^2_{n_2}\} \wedge \ldots,\ D)$ 

We will use the conjunction operation of an environment state with a formula $F$. It is defined as: 

$(T, D) \wedge F = (T, D \wedge F)$ 


Predicate transformers 


There is a partial transformation $pt\colon S \rightarrow S$ on the complete set $S$ of states of the considered model. The function of state transformation under the action of a basic protocol is called the forward predicate transformer: 

$E' = pt(E, \alpha, \beta)$ 

Here $E$ and $E'$ are the environment states before and after execution of the basic protocol with precondition $\alpha$ and postcondition $\beta$. In general the result is a disjunction of states: 

$pt(E, \alpha, \beta) = E'_1 \vee E'_2 \vee \ldots$ 

where each $E'_i$ is a new pair describing a transformed environment state. The disjunction of $E'_i$ appears as a result of identification of arguments of functional expressions [4, 6]. 

There is another function of state transformation which restores the environment state modified by the forward predicate transformer under the action of a given basic protocol. This function is called the backward predicate transformer [5]: 

$E'' = pt^{-1}(E', \alpha, \beta)$ 

Let us consider environment transformations while creating and stopping agents during modeling. Obviously, when an agent is created by some basic protocol, the domain of its agent type $T_i$ is extended by a new element $e^i_{n+1}$, the generated name of the new agent. When an agent is stopped, all occurrences of its attributes in the environment state formula $D$ should be substituted by new bounded variables. But there are two approaches to control the agent type domain: 

1. The name $e^i_{n+1}$ of the stopped agent is removed from the domain of its agent type $T_i$. But it is unclear how to transform formula $D$ of the environment state when attributes have this name as a value (like $r = e^i_{n+1}$) and functional expressions have this name among their arguments (like $f(e^i_{n+1})$). Should such occurrences be removed from formula $D$, or should they be reckoned as an attempt to access values that are out of bounds? In any case, such an approach cannot save any information about stopped agents. 

2. Agent type domains are not changed. Here all occurrences of the stopped agent name $e^i_{n+1}$ in formula $D$ stay valid. But another problem arises: infinite growth of agent type domains. 


Taking into account needs of industrial projects we have chosen the second approach 
where information about all operated agents can be saved. Let’s now extend predicate 
transformers for create and stop operators. 


Operators create and stop 


Postcondition $\beta(r,x)$ can contain a number of create operators in the following form: 

$r_1 := create(T_1, u_1);$ 
$\ldots$ 
$r_k := create(T_k, u_k);$ 
$create(T_{k+1}, u_{k+1});$ 
$\ldots$ 
$create(T_m, u_m);$ 

where $r_i$ are attributes which change their values to the newly generated agent names, $T_i$ are agent types and $u_i$ are values of the special control flow attribute of each created agent. 

The operator $stop(x)$ can appear only once in a postcondition. It stops the agent with name $x$, which is typically a parameter of the basic protocol. 


Initial environment state 


Introducing the create and stop operators implies the need for initial state refinement. First, we should generate a constraint that, initially, all attributes of agent types can obtain only values which are names of initial agents. This constraint should be preserved while performing create operators. For each simple attribute $a$ of agent type $T_i = \{e^i_1, \ldots, e^i_n\}$ we should add the constraint 

$(a = e^i_1) \vee \ldots \vee (a = e^i_n)$ 

to the initial formula conjunctively. 

Consider uninterpreted functions as attributes of the form $f\colon (T_i, J) \rightarrow T_j$, where $J$ is any simple type except agent types and $T_j = \{e^j_1, \ldots, e^j_m\}$. For each such attribute we add the following constraint: 

$\forall (x\colon T_i,\ y\colon J)\ \big(((x = e^i_1) \vee \ldots \vee (x = e^i_n)) \rightarrow ((f(x,y) = e^j_1) \vee \ldots \vee (f(x,y) = e^j_m))\big)$ 

This restriction is evidently extended to functions with an arbitrary number of arguments. 


Processing create operators in forward predicate transformer 


Consider agent type $T_i = \{e^i_1, \ldots, e^i_n\}$ and the operator $create(T_i, u)$. 

After performing this operator we should generate new constraints for uninterpreted functions whose arguments now include the new name. Consider attribute $f\colon (T_i, J) \rightarrow T_j$ (here $J$ is any simple type except agent types). The new constraint (denote it as $R$) is: 

$R = \forall (y\colon J)\ \big(f(e^i_{n+1}, y) = e^j_1 \vee \ldots \vee f(e^i_{n+1}, y) = e^j_m \vee f(e^i_{n+1}, y) = e^j_{m+1} \vee \ldots\big)$ 

Here $e^i_{n+1}$ is the newly generated name. Notice that we have added all dynamically created agent names $e^j_{m+1}, e^j_{m+2}, \ldots$ of type $T_j$ to the allowed values of functional expressions of the form $f(e^i_{n+1}, y)$. 

Agent type $T_i$ should be extended and constraint $R$ added to formula $D$: 

$(T_i = \{e^i_1, \ldots, e^i_n\} \wedge \ldots,\ D) \xrightarrow{create(T_i, u)} (T_i = \{e^i_1, \ldots, e^i_n, e^i_{n+1}\} \wedge \ldots,\ D \wedge R)$ 

$(T_i = \{e^i_1, \ldots, e^i_n\} \wedge \ldots,\ D) \xrightarrow{r := create(T_i, u)} (T_i = \{e^i_1, \ldots, e^i_n, e^i_{n+1}\} \wedge \ldots,\ D \wedge (r = e^i_{n+1}) \wedge R)$ 

Create operators should be processed in the order they appear in the text of postcondition $\beta$. This should be done before assignments and formula processing. 

If an attempt is made to apply some basic protocol that contains parameters of dynamic agent types, then all values from the domains of these types should be allowed, including the names of dynamically created agents. 


Processing stop operator in forward predicate transformer 


The operator $stop(x)$ can appear only once in a postcondition and means stopping of agent $x$. All functional expressions which correspond to attributes of this agent should be substituted by new bounded variables in the environment state formula (like attributes changed by assignments or by the formula in the postcondition, but without argument identification [4]). Any other functional expressions stay untouched even if they contain the name of the stopped agent among their arguments. Agent type $T_i$ of the stopped agent is not changed either: 

$(T_i = \{e^i_1, \ldots, e^i_{n+1}, \ldots\} \wedge \ldots,\ D) \xrightarrow{stop(e^i_{n+1})} (T_i = \{e^i_1, \ldots, e^i_{n+1}, \ldots\} \wedge \ldots,\ D')$ 

Here $D'$ is the formula $D$ after the substitutions mentioned above. 


Symbolic modeling and test generation 


Generally, the forward predicate transformer is used in symbolic modeling to explore the state space of a model. The result of exploration is a set of traces leading to formulated goals. We call this process forward trace generation. 
Each trace contains symbolic states of the model which are specified by formulas and should be refined before test generation [7, 8]. In this refinement task we use the backward predicate transformer for reverse traversal of an existing trace from the reached goal to the initial state. This means that we start modeling from a goal state where the number of agents is concrete, their attributes (including control flow) are defined and the domains of agent types are known (all names generated in forward mode are present). Therefore, we suggest starting from an algorithm for a concrete and defined number of agents at each step of modeling. 


Processing stop operator in backward predicate transformer 


In contrast to the forward predicate transformer, the operator $stop(x)$ in backward mode should create a new agent. But it does not affect agent types, because the agent type $T_i$ of the stopped agent is not changed in forward mode. The environment state formula $D$ is not changed either, because all attributes of the stopped agent (which are substituted with bounded variables in forward mode) will be restored in further backward trace generation. 

$(T_i = \{e^i_1, \ldots, e^i_{n+1}, \ldots\} \wedge \ldots,\ D) \xrightarrow{stop(e^i_{n+1})} (T_i = \{e^i_1, \ldots, e^i_{n+1}, \ldots\} \wedge \ldots,\ D)$ 


Processing create operator in backward predicate transformer in scope of existing trace 


The operator $create(T_i, u)$ extends the agent type with the created agent and adds restrictions to formula $D$ in the forward predicate transformer. We need to make the reverse actions in backward mode. First, the created agent should be detected. Its special control flow attribute necessarily has the value $u$. As we consider the backward predicate transformer in the scope of an existing trace, the created name can be extracted from this trace. Let it be $e^i_{n+1}$. 

Second, the name $e^i_{n+1}$ of the created agent should be removed from the domain of agent type $T_i$. 

Third, the formula should be cleaned of obsolete functional expressions. This is done by substituting them with bounded variables (analogously to attributes changed by assignments or by the formula in the postcondition, but without argument identification [4, 5]). A functional expression is reckoned as obsolete if at least one of its arguments is equal to the created agent name $e^i_{n+1}$. All such functional expressions should be found in formula $D$ and substituted with bounded variables. We do not care about attributes having the concrete value $e^i_{n+1}$, because they can obtain this value by assignments or by the postcondition formula of protocols applied after the agent creation in forward trace generation. So they were changed in those protocols and, in backward trace generation, have already been substituted by bounded variables earlier. Denote the obtained formula as $D''$: 

$(T_i = \{e^i_1, \ldots, e^i_n, e^i_{n+1}, e^i_{n+2}, \ldots\} \wedge \ldots,\ D) \xrightarrow{[r :=]\,create(T_i, u)} (T_i = \{e^i_1, \ldots, e^i_n, e^i_{n+2}, \ldots\} \wedge \ldots,\ D'')$ 


Backward trace generation with hidden agents 


Usage of backward trace generation is not restricted to test generation purposes. It can be used for reachability checking, which is done without preceding forward trace generation, i.e. without existing traces and states. 

This implies the problem of an unknown number of dynamic agents (generated by the create operator) in the state from which backward trace generation starts. Dynamic agents which are not mentioned in this state are called hidden. The problem lies in basic protocols in which hidden agents can operate. Such basic protocols can increase the number of operating agents infinitely, because a new hidden agent can be instantiated from a parameter each time. 
It is a challenge for future work to create algorithms for sensible trace generation with hidden agents. In practical usage, the number of hidden agents is bounded by a known concrete value in the initial state. In this case the problem of infinite growth of agents is absent and the algorithms described above can be used with only one remark: while processing the create operator in the backward predicate transformer, the agent to be stopped should be chosen non-deterministically from the combined set of operating and hidden agents (above, it was taken from a trace). 


Examples 

We use the forward predicate transformer in the following examples. 

Environment: 
  Enumerated types: V: {v1, v2, v3}; 
  Agent types: T, S; 
  Attributes: a: T; 
  Initial agents: T: {t1, t2}, S: {s1}; 
  Initial control flow attributes: T(t1, idle), T(t2, idle), S(s1, idle); 

Basic protocol bp1: 
  Precondition: S(s1, idle) ∧ (a = t1) 
  Postcondition: S(s1, idle) ∧ create(T, idle) 

Basic protocol bp2: 
  Precondition: S(s1, idle) ∧ ¬(a = t1) ∧ ¬(a = t2) 
  Postcondition: S(s1, end) 

Table 1. Example 1. 


The question: is bp2 reachable? 

First, we add to the initial state the following constraint R: (a = t1 ∨ a = t2). 

Basic protocol bp2 cannot be applied in the initial state because of the added constraint. After an application of bp1, agent type T is extended by the newly generated name tn. But the attribute a has not been changed and the initial constraint R remains. Consequently, bp2 is again not applicable. Regardless of the number of bp1 applications, constraint R always holds. 

The answer: bp2 is not reachable. 


Let us modify the example: add some attribute b of agent type T inside the same agent type T: 

  Agent types: T(b: T), S; 

The following constraint R0 should be added to the initial state: 

  (a = t1 ∨ a = t2) ∧ (t1.b = t1 ∨ t1.b = t2) ∧ (t2.b = t1 ∨ t2.b = t2) 

After a bp1 application (creation of a new T-agent) this constraint remains, and a new constraint R1 should be added for the attributes of the created agent tn: 

  tn.b = t1 ∨ tn.b = t2 ∨ tn.b = tn 

To consider uninterpreted functions, let us add a global attribute f: 

  Attributes: a: T, f: (V, T) -> T; 

The following constraint R0 should be kept in the initial state: 

  ∀(x: V) ((f(x, t1) = t1 ∨ f(x, t1) = t2) ∧ (f(x, t2) = t1 ∨ f(x, t2) = t2)) ∧ 
  (a = t1 ∨ a = t2) ∧ (t1.b = t1 ∨ t1.b = t2) ∧ (t2.b = t1 ∨ t2.b = t2), 

or it can be written as: 

  ∀(t: T, x: V) ((t = t1 ∨ t = t2) → (f(x, t) = t1 ∨ f(x, t) = t2)) ∧ 
  (a = t1 ∨ a = t2) ∧ (t1.b = t1 ∨ t1.b = t2) ∧ (t2.b = t1 ∨ t2.b = t2). 

After a bp1 application (creation of a new T-agent with name tn) a new constraint R1 should be added: 

  ∀(x: V) (f(x, tn) = t1 ∨ f(x, tn) = t2 ∨ f(x, tn) = tn) ∧ 
  (tn.b = t1 ∨ tn.b = t2 ∨ tn.b = tn) 


Now, consider the operator stop. When some agent is stopped, all its attributes should be substituted by bounded variables (like it is done with attributes changed in a postcondition, but without argument identification). 


Environment: 
  Enumerated types: V: {v1, v2, v3}; 
  Agent types: T, S; 
  Attributes: a: T, f: T -> V; 
  Initial agents: T: {t1, t2}, S: {s1}; 
  Initial control flow attributes: T(t1, idle), T(t2, idle), S(s1, idle); 

Basic protocol bp1: 
  Precondition: S(s1, idle) ∧ (a = t1) 
  Postcondition: S(s1, created) ∧ create(T, idle) 

Basic protocol bp2: 
  Precondition: S(s1, created) ∧ ¬(a = t1) ∧ ¬(a = t2) 
  Postcondition: S(s1, end) ∧ f(a) := v3 

Protocol bp11: 
  Precondition: S(s1, idle) 
  Postcondition: S(s1, created) ∧ a := create(T, idle) 

Protocol bps: 
  ∀(n: T) 
  Precondition: T(n, idle) 
  Postcondition: T(n, idle) ∧ stop(n) 

Table 2. Example 2. 


The question is: when is bp2 applicable? 

As we consider agent types as dynamic enumerated types, we extend them with new elements while performing create operators. But we do not remove created elements from agent types after stop operators. 

The answer is: bp2 will always be applicable after the first creation of a T-agent (protocols bp1 or bp11). We can save information about stopped agents in attributes of functional types, which is useful for users but problematic for the search of visited states. After each creation of a T-agent by protocol bp1, protocol bp2 can generate more branches. 
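The following Python model is an added example written for this edit; it is not code from the paper or from any basic protocols tool. It reduces the symbolic state E = (T, D) to the fragment the two examples exercise: agent type domains as dynamic enumerations, the initial constraint (a = e1) ∨ ... ∨ (a = en) on an agent-typed attribute, forward create and stop, and backward create within a known trace. Control-flow attributes of S are abstracted away, agent names are generated by a constructed scheme (t3, t4, ...), and the functions `initial_state`, `create`, `stop`, `backward_create` and `applicable` are assumptions of this model. It reproduces the Example 1 verdict (bp2 never becomes applicable while R is kept), and, going beyond the text, shows how the same state behaves without the initial constraint, and how bp11's assignment a := create(T, idle) from Example 2 makes bp2 applicable.

```python
import copy

# Symbolic state E = (T, D), reduced to what the examples need:
#   domains[T_i]  - dynamic enumerated type: names only grow in forward mode
#   allowed[a]    - set of names attribute a may equal (the constraint R); None = no constraint
#   cf[e]         - control-flow attribute of agent e, or a bound variable "_bK" after substitution


def initial_state(domains, attr_types, control_flow, initial_constraint=True):
    """Initial state; with initial_constraint every attribute a: T_i may only equal an initial name of T_i."""
    return {
        "domains": {t: list(names) for t, names in domains.items()},
        "attr_types": dict(attr_types),
        "allowed": {a: (set(domains[t]) if initial_constraint else None) for a, t in attr_types.items()},
        "cf": dict(control_flow),
        "bound_vars": 0,
    }


def fresh_name(state, agent_type):
    """Generated name e_{n+1}; the 't3', 't4', ... scheme is a constructed convention of this model."""
    return f"{agent_type.lower()}{len(state['domains'][agent_type]) + 1}"


def bound_var(state):
    state["bound_vars"] += 1
    return f"_b{state['bound_vars']}"


def create(state, agent_type, cf_value, target_attr=None):
    """Forward create(T_i, u) or r := create(T_i, u): extend the domain with e_{n+1}, set its control
    flow to u, keep the other constraints (R remains); with a target, r equals the new name only."""
    new = copy.deepcopy(state)
    name = fresh_name(state, agent_type)
    new["domains"][agent_type].append(name)
    new["cf"][name] = cf_value
    if target_attr is not None:
        new["allowed"][target_attr] = {name}
    return new, name


def stop(state, name):
    """Forward stop(x): the agent's attributes become bound variables, its name stays in the domain."""
    new = copy.deepcopy(state)
    new["cf"][name] = bound_var(new)
    return new


def backward_create(state, agent_type, name):
    """Backward [r :=] create(T_i, u) in a known trace: remove e_{n+1} from the domain and substitute
    functional expressions having e_{n+1} as argument (here its control flow) by a bound variable."""
    new = copy.deepcopy(state)
    new["domains"][agent_type].remove(name)
    new["cf"][name] = bound_var(new)
    return new


def applicable(state, attr, excluded=(), required=None):
    """Satisfiability of '(a = e)' (required) and '~(a = e1) & ~(a = e2)' (excluded) for attribute a."""
    allowed = state["allowed"].get(attr)
    values = set(allowed) if allowed is not None else set(state["domains"][state["attr_types"][attr]])
    values -= set(excluded)
    if required is not None:
        values &= {required}
    return bool(values)


def table1_state(initial_constraint=True):
    return initial_state({"T": ["t1", "t2"], "S": ["s1"]}, {"a": "T"},
                         {"t1": "idle", "t2": "idle", "s1": "idle"}, initial_constraint)


def bp2_after_bp1(times, initial_constraint=True):
    """Apply bp1 (a = t1 -> create(T, idle)) `times` times; report bp2's applicability after each step."""
    st = table1_state(initial_constraint)
    verdicts = [applicable(st, "a", excluded=("t1", "t2"))]
    for _ in range(times):
        assert applicable(st, "a", required="t1")      # bp1 precondition stays satisfiable
        st, _ = create(st, "T", "idle")                 # bp1 postcondition
        verdicts.append(applicable(st, "a", excluded=("t1", "t2")))
    return verdicts, st["domains"]["T"]


def bp2_after_bp11():
    """bp11 of Table 2: a := create(T, idle) binds a to the new name, so bp2 becomes applicable."""
    st, name = create(table1_state(), "T", "idle", target_attr="a")
    return applicable(st, "a", excluded=("t1", "t2")), name


def stop_then_backward_create():
    """Forward stop keeps the name in T; backward create removes it and frees its attributes."""
    st, name = create(table1_state(), "T", "idle")
    stopped, reverted = stop(st, name), backward_create(st, "T", name)
    return (name in stopped["domains"]["T"], stopped["cf"][name],
            name in reverted["domains"]["T"], reverted["cf"][name])


if __name__ == "__main__":
    print(bp2_after_bp1(3))                             # with R: bp2 never applicable
    print(bp2_after_bp1(1, initial_constraint=False))   # without R: applicable once tn exists
    print(bp2_after_bp11())
    print(stop_then_backward_create())
```

Running the script prints `([False, False, False, False], ['t1', 't2', 't3', 't4', 't5'])` for Example 1 with constraint R kept, `([False, True], ['t1', 't2', 't3'])` when R is dropped (the situation Example 2 describes, where each new T-agent opens another bp2 branch), `(True, 't3')` for bp11, and `(True, '_b1', False, '_b1')` showing that forward stop leaves the name in the domain while backward create removes it.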


Conclusions 


The language of basic protocols has been chosen as the formal representation of analyzed models for symbolic modeling. An algorithm supporting dynamic creation and stopping of agents has been developed on the basis of the existing forward and backward predicate transformers [4, 5, 6]. It provides the ability to deal with an unknown number of concurrent processes in verification and test generation tasks. 
RESUME 
S.P. Potiyenko 


Symbolic Modeling of Basic Protocols Systems 
with Arbitrary Number of Agents 


The paper considers a method of symbolic modeling of multi-component concurrent systems specified in the basic protocols language. Such systems contain an environment with agents which work concurrently and asynchronously and interact with each other via shared memory. Agents can be created and stopped dynamically. A symbolic state of the system covers a set of concrete states and is specified by a formula of first order logic with multisort predicate calculus. Transitions of the system are specified by basic protocols. 

An algorithm supporting dynamic creation and stopping of agents has been developed on the basis of the existing forward and backward predicate transformers, which are functions for symbolic state transformation. It has been specified for verification and test generation purposes. It provides the ability to analyze systems with an arbitrary number of concurrent processes. 


The article was received by the editorial board on 04.04.2013. 


«Искусственный интеллект» (Artificial Intelligence) 2013, No. 4, p. 88 


